bren2310 asked on Password Security
I have a reasonably well encrypted login page (Java applet) but I'm not sure how to protect the target page / frameset from being bookmarked and then called directly, bypassing the login page. Is there a JavaScript which I can place in the target frameset which will automatically divert surfers to the login page if it hasn't been called from there?
Every site I've visited seems to be able to do this so I'm probably asking a stupid question.
Regards
Bren2310
That's another problem. You have to determine if the user is logged in or not. Maybe you could use INCLUDE to include one site if the user is logged in or include another one if he isn't.
Also you can use browser authorization (Basic is the most used). You don't need to have cookies accepted if you use it, although you have to determine whether this authorization is set or not.
I think Java will not handle this problem. Try PHP. It's fast and easy.
regards
It's fairly standard for Single Sign-on systems to use an encrypted cookie. Once decrypted, the cookie will reveal the user's identity, and some sort of expiry time. When the user connects, the web server reads the headers, and if the cookie doesn't exist, or has expired, the user is redirected to a login page. (On a Microsoft web server, this would be done with an ISAPI filter - presumably other web servers support similar APIs.) As far as HTTP is concerned, the connections are anonymous.
If you are hosting your site using the Apache web server, you can turn on follow symbolic links for the directory that contains the HTML file. As far as I know, with this setting on a directory you cannot access a file by directly entering the address of the file. Then you can direct your client from your login page...
ASKER
Thank you for all your responses so far. My problem is that, whilst I know what I'm doing with JavaScript & HTML, using Perl or ASP or whatever is something I'm not familiar with and am having to learn as I go along.
In response to GtG - those hosting the site do use the Apache web server. Unfortunately I am using FrontPage for most of the site and need the FrontPage extensions installed. This effectively makes using the Apache web server security options a non-starter.
Do you / does anyone know how to make use of FrontPage's ability to set up sub webs which provide similar protection?
Brendan (bren2310)
As a side note to my comment, the nice thing about that setup is that even if the client doesn't support cookies, they can at least view files in the private directory as long as the web browser stays open, as it re-submits the basic authentication information when required for the private files. When the browser is closed, if the user wants to access the private files again, they have to re-enter the authentication information, or, if they have a cookie set with the authentication information, the cookie can bypass the need for the basic authentication. If you searched google for keywords such as "basic authentication http 401 www-authenticate", and the CGI scripting language you're using, you could probably find some good examples.
This is how I personally protect a web site not meant for the general public.
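Putting the two answers above together (the expiring, tamper-proof cookie checked by the server, and Basic authentication as the fallback that issues it), as an added example that is not from anyone in this thread: it uses an HMAC-signed cookie rather than an encrypted one, since the check described only needs the identity and expiry to be unforgeable, and the key, user name, password and sample request below are all constructed demo values.

```python
import base64
import hashlib
import hmac

# Constructed demo values; a real server loads the key and password digests from
# protected server-side configuration (and uses a salted password hash, not bare sha256).
SECRET_KEY = b"constructed-demo-key"
USERS = {"bren": hashlib.sha256(b"constructed-demo-pass").hexdigest()}
TTL = 3600  # cookie lifetime in seconds
SAMPLE_BASIC = "Basic " + base64.b64encode(b"bren:constructed-demo-pass").decode()

def make_cookie(user, now, key=SECRET_KEY):
    """'user|expiry|mac': the MAC covers user and expiry, so the browser
    cannot edit either without invalidating the cookie."""
    payload = f"{user}|{now + TTL}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_cookie(cookie, now, key=SECRET_KEY):
    """Return the user named in an intact, unexpired cookie, else None."""
    try:
        user, expiry, mac = cookie.split("|")
        expected = hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
        fresh = int(expiry) > now
    except ValueError:  # wrong field count or non-numeric expiry
        return None
    return user if fresh and hmac.compare_digest(mac.encode(), expected.encode()) else None

def verify_basic(header):
    """Return the user from a valid 'Authorization: Basic ...' header, else None."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    return user if user in USERS and hmac.compare_digest(USERS[user], given) else None

def authorize(headers, now):
    """Server-side gate for a private page: (status, user, extra response headers).
    Order follows the thread: valid cookie first, then Basic credentials, else 401."""
    cookies = dict(c.strip().split("=", 1) for c in headers.get("Cookie", "").split(";") if "=" in c)
    user = verify_cookie(cookies.get("auth", ""), now)
    if user:
        return 200, user, {}
    user = verify_basic(headers.get("Authorization", ""))
    if user:  # credentials were right: issue the cookie so later requests skip Basic
        return 200, user, {"Set-Cookie": f"auth={make_cookie(user, now)}; HttpOnly"}
    return 401, None, {"WWW-Authenticate": 'Basic realm="private"'}
```

Because the decision is made from request headers on the server, a bookmarked URL to the private page gets the same 401 as any other unauthenticated request, which is what client-side JavaScript in the frameset cannot guarantee.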
Depending on your server type, I think the easiest form of access control would be using simple authentication with either auth rules or htaccess files. If you are using a programming language for dynamic content, cookies/sessions are an option...